securing hardening unix l.
Skip this Video
Download Presentation
Securing/Hardening UNIX

Loading in 2 Seconds...

play fullscreen
1 / 39

Securing/Hardening UNIX - PowerPoint PPT Presentation

  • Uploaded on

Securing/Hardening UNIX. Section 7. Hardening Solaris. Session objective: This section is to show what and how to harden a Unix Platform - with a strong emphasis on what a hacker will do to you if you forget What is hardening?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Securing/Hardening UNIX' - raine

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
hardening solaris
Hardening Solaris
  • Session objective: This section is to show what and how to harden a Unix Platform - with a strong emphasis on what a hacker will do to you if you forget
  • What is hardening?

Making secure by improving file permissions, removing unnecessary services and patching the system

recap on unix security
Recap on Unix Security

Authorisation is by User and Group

User / uid obtained at login from /etc/passwd

Password stored in /etc/shadow

Group / Gid is stored in /etc/group

AIX - /etc/security/user

- /etc/security/passwd

 HPUX -/tcb/auth*

etc passwd

# more passwd






lp:x:71:8:Line Printer Admin:/usr/spool/lp:

smtp:x:0:0:Mail Daemon User:/:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico

listen:x:37:4:Network Admin:/usr/net/nls:


noaccess:x:60002:60002:No Access User:/:

nobody4:x:65534:65534:SunOS 4.x Nobody:/:

www:x:2000:200:WWW User:/export/home/www:/bin/sh

etc group

$ cat group


















etc shadow

$ # cat shadow














file permissions
File permissions
  • rwx-rwx-rwx
  • Owner-group-everyone else
  • Patching
  • Service removal
  • Security settings
  • Default permissions
  • File permissions
  • ASET
  • Tripwire
  • Commercial Applications

Why? – to remove security bugs

Two tools built in to manage patches:

  • patchadd to install directory format patches to a Solaris system
  • patchrm to remove patches on a solaris system

Some useful commands to manage patches:

  • ‘showrev –p’ shows all patches applied to the system
  • ‘pkgparam pkgid PATCHLIST’ shows all patches applied to the package identified by pkgid
  • ‘pkgparam pkgid PATCH_INFO_patch-number’ shows the installation date and name of host
  • ‘patchadd –p’ shows all patches applied to a system

 AIX – installp or smit


‘showrev –p’

# showrev

Hostname: Bankx

Hostid: 8388c2d53

Release: 5.8

Kernel architecture: sun4u

Application architecture: sparc

Hardware provider: Sun_Microsystems


Kernel version: SunOS 5.8 Generic 108528-09 June 2001

service removal inetd
Service removal - Inetd

Inetd – the super listener

    • Configuring this IS the NO. 1 major hardening task
    • Controlled by /etc/inetd.conf
    • How it can be used to hide network access once a machine is compromised or escalate access to root if writable.

To modify

  • # cp inetd.conf inetd.conf.old
  • # vi inetd.conf
  • Comment out services not needed & save
  • # ps –ef | grep inetd then note the process id
  • #/sbin/kill –HUP “process id from above”
service removal inetd13
Service removal - Inetd

Inetd.conf – before hardening (page 1)

$more inetd.conf


# Syntax for TLI-based Internet services:


# <service_name> tli <proto> <flags> <user> <server_pathname> <args>


# Ftp and telnet are standard Internet services.


ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd



service removal inetd14
Service removal - Inetd

Inetd.conf – before hardening (page 2)

Shell, login, exec, comsat and talk are BSD protocols.


shell stream tcp nowait root /usr/sbin/in.rshd in.rshd

login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind

exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd

comsat dgram udp wait root /usr/sbin/in.comsat in.comsat

talk dgram udp wait root /usr/sbin/in.talkd in.talkd


# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.


uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd

# Tftp service is provided primarily for booting.

tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd

# tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

# Finger, systat and netstat give out user information which may be


service removal inetd15
Service removal - Inetd

Inetd.conf – before hardening (page 3)

finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd

echo stream tcp nowait root internal

daytime stream tcp nowait root internal

daytime dgram udp wait root internal

chargen stream tcp nowait root internal

# RPC services syntax:

# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \

# <pathname> <args>

# Solstice system and network administration class agent server

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad

# The rusers service gives out user information. Sites concerned

# with security may choose to disable it.

rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsv c/rusers/rpc.rusersd rpc.rusersd

service removal inetd16
Service removal - Inetd

Inetd.conf – after hardening

$more inetd.conf


# Syntax for TLI-based Internet services:


# <service_name> tli <proto> <flags> <user> <server_pathname> <args>

echo stream tcp nowait root internal


Some sites harden the configuration still further with a tcp wrapper

service removal nfs
Service removal - NFS

NFS – the Network File System daemons

    • Configuring this IS the NO2 major hardening task
    • Controlled by /etc/dfs/dfstab which controls what is exported(I.e shared in Bill-Gates-Speak)
    • If not needed, all daemons should be not started rc3.d/s15nfs.server

To modify a share to limit access to certain machines

  • # vi /etc/dfs/dfstab
  • Change share statement from

share -F nfs -d “apps" /apps


share -F nfs -o rw= -d “apps" /apps

service removal nfs18
Service removal – NFS

 AIX – /etc/exports

 HPUX – /etc/exports

service removal nfs 2
Service removal – NFS (2)

Identify the Network File System daemons

# ps –ef then note the processes


root 108 1 0 Dec 22 ? 0:00 /usr/sbin/rpcbind

root 21787 21784 0 10:03:51 pts/1 0:00 ps -ef

root 110 1 0 Dec 22 ? 0:00 /usr/sbin/keyserv

root 146 1 0 Dec 22 ? 0:00 /usr/lib/nfs/lockd <

root 144 1 0 Dec 22 ? 0:00 /usr/lib/nfs/statd <

root 161 1 0 Dec 22 ? 0:08 /usr/lib/autofs/automountd

root 199 1 0 Dec 22 ? 0:00 /usr/lib/lpsched

root 269 1 0 Dec 22 ? 0:04 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf

root 296 269 0 Dec 22 ? 0:00 mibiisa -p 32790

root 284 1 0 Dec 22 ? 0:00 /usr/lib/dmi/snmpXdmid -s avon

root 294 291 0 Dec 22 ? 0:03 /usr/lib/saf/ttymon

root 288 1 0 Dec 22 ? 0:00 /usr/dt/bin/dtlogin -daemon

root 13496 1 0 Jan 15 ? 0:13 /usr/lib/sendmail -bd -q15m

root 17075 1 0 Jan 19 ? 0:34 /usr/sbin/in.named


Also remove - nfsd mountd biod

service removal
Service removal

Generally, you should not start unnecessary daemons

These may include:

  • Snmp = /usr/lib/snmp/snmpdx & mibiisa
  • RPC = /usr/sbin/rpcbind

Rpcinfo –p

Netstat –an

 AIX – portmap

service removal21
Service removal
  • Ipsched
  • Routed
  • vold
security settings
Security settings

Security settings:

  • /etc/passwd – check permissions, ensure integrity and locked accounts have a shell of /bin/false
  • /etc/shadow & group – check permissions and ensure integrity
  • /etc/default/login – restrict root access to console by:
    • CONSOLE=/dev/console
    • AIX – /etc/security/user or /etc/security/login
    • HPUX - /etc/securetty
  • /etc/default/inetinit - TCP initial sequence
security settings23
Security settings

Solaris - Ip stack settings

$ ndd -get /dev/ip ip_forward_directed_broadcasts


# ndd -get /dev/ip ip_forward_src_routed


# ndd -get /dev/ip ip_ignore_redirect


# ndd -get /dev/ip ip_respond_to_address_mask_broadcast


# ndd -get /dev/ip ip_respond_to_echo_broadcast


# ndd -get /dev/ip ip_respond_to_timestamp


# ndd -get /dev/ip ip_send_redirects


# ndd -get /dev/tcp tcp_rev_src_routes


security settings24
Security settings

AIX - Ip stack settings

$ no –o ipforwarding

$ no –o ipsendredirects

$ no –o nonlocsrcroute

$ no –o subnetsarelocal

default permissions keeping files tight
Default permissions – keeping files tight
  • The umask determines the default file permission for new files created
  • Normally set in /etc/default/login /etc/profile
  • 3 digits such as 077 or 022

$ umask 022

$ > testfile

$ls –l testfile

-rwxr-xr-x 6 root sys 404 Jan 6 2000 testfile

file permissions26
File permissions

Important categories:

  • System start-up scripts
  • System configuration file
  • Home directories
  • Cron
  • /dev esp kmem or drum
  • /proc
  • All other files
file permissions system start up scripts
File permissions -System start-up scripts

Unix start-up sequence:

  • System boots and loads kernel
  • System kernel forks to create init pid 1
  • Init reads /etc/inittab and runs any programs specified
  • In Solaris/HPUX 10, it then runs the scripts /etc/rc[0-5].d/*
  • In AIX / HPUX 8-9 , it then runs the scripts (i.e. /etc/rc.tcpip ) as defined point 3

If a hacker can add a command into either /etc/rc[0-5].d/* or /etc/inittab, it will be able to update an file on the system

file permissions system configuration file
File permissions - System configuration file

A selection of key files and what a hacker might do them

  • /etc/hosts.equiv – add + + to the file
  • /etc/hosts – change the address of a host
  • /etc/pam.conf – change authentication (solaris only)
  • /etc/inetd.conf – add new service
  • /etc/profile – add “chmod 777 /etc/shadow”
  • /etc/nsswitch.conf – change name resolution/authentication
  • /etc/Resolv.conf – change name server (could effect trusted hosts)
  • /etc/passwd - change uid to 0
  • /etc/shadow - change root password
file permissions home directories
File permissions – home directories

Important files to look at:

  • .rhosts
  • .profile
  • .kshrc .netrc
  • .login .logout
  • .exrc
file permissions general
File permissions - general

Things to look for

  • Suid files
  • Sgid files
  • World writeable files
  • World writeable directories
file permissions31
File permissions
  • Umtp and umtpx world write permissions
  • Files with no user associated with it
  • Files with no group associated with it
radical hardening
Radical hardening
  • remove root Suid bit if possible
  • remove gcc or cc
  • Mount file systems readonly
  • Large main memory – small swap
  • Automated Security Enhancement Tool
  • Comes with all new sun operating systems
  • Low setting ensures that all system files are set to release values. Reports potential weaknesses but does not make any changes
  • Medium Setting makes some changes to security settings but do not affect system services
  • High setting makes more changes to security settings and security takes precedence to system behaviour

Task that ASET performs

  • Systems file verification check
  • System files check
  • User/Group check
  • System configuration files check
  • Environment check
  • eeprom check
  • Firewall setup
aset output
ASET output

£ aset –p high

*** Begin Enviroment Check ***Warning! umask set to umask 022 in /etc/profile - not recommended.*** End Enviroment Check ***======= ASET Execution Log =======ASET running at security level highMachine = server; Current time = 0114_20:26aset: Using /usr/aset as working directoryExecuting task list ... firewall env sysconf usrgrp tune cklist eepromAll tasks executed. Some background tasks may still be running.Run /usr/aset/util/taskstat to check their status: /usr/aset/util/taskstat [aset_dir]where aset_dir is ASET's operating directory,currently=/usr/aset.When the tasks complete, the reports can be found in: /usr/aset/reports/latest/*.rpt

aset output ii
ASET output II

where aset_dir is ASET's operating directory,currently=/usr/aset.When the tasks complete, the reports can be found in: /usr/aset/reports/latest/*.rptYou can view them by: more /usr/aset/reports/latest/*.rpt*** Begin Firewall Task ***IP forwarding already disabled.IP forwarding already disabled in rc files.ROUTED daemon already configured to be opaque.*** End Firewall Task ****** Begin System Scripts Check ***cp: /usr/aset/archives/inetd.conf.arch.high: No space left on deviceCannot archive /etc/inetd.conf. Task skipped!Task firewall is done.Task env is done.Task sysconf is done.Task usrgrp is done.*** Begin Tune Task ***

aset output iii
ASET output III

*** Begin Tune Task ***... setting attributes on the system objects defined in /usr/aset/masters/tune.high*** Begin User And Group Checking ***Checking /etc/passwd ...Checking /etc/shadow ...Warning! Shadow file, line 1, no password: root::6445::::::... end user check.Checking /etc/group ...... end group check.*** End User And Group Checking ***

  • Monitors file changes, verifies integrity and notifies of any violation on data at rest on network servers
  • Identifies attributes such as file size, access flags, write time, file permissions, file add, file delete, file modifications and etc
  • Supports Windows NT4, Win2K, Solaris 2.6,2.7 and 2.8, AIX 4.3, HP-UX 11.0 and 11i, FreeBSD 4.2 and 4.3 and some Linux flavours
commercial applications
Commercial Applications
  • Axent ESM
  • CA Unicenter
  • Bindview